Pollard's kangaroo algorithm

In computational number theory and computational algebra, Pollard's kangaroo algorithm (aka Pollard's lambda algorithm, see Naming below) is an algorithm for solving the discrete logarithm problem. The algorithm was introduced in 1978 by the number theorist J. M. Pollard, in the same paper [1] as his better-known ρ algorithm for solving the same problem. Although Pollard described the application of his algorithm to the discrete logarithm problem in the multiplicative group of units modulo a prime p, it is in fact a generic discrete logarithm algorithm—it will work in any finite cyclic group.

Contents

Suppose is a finite cyclic group of order which is generated by the element , and we seek to find the discrete logarithm of the element to the base . In other words, we seek such that . The lambda algorithm allows us to search for in some subset . We may search the entire range of possible logarithms by setting and , although in this case Pollard's rho algorithm is more efficient. We proceed as follows:

Pollard gives the time complexity of the algorithm as , based on a probabilistic argument which follows from the assumption that f acts pseudorandomly. Note that when the size of the set {a, …, b} to be searched is measured in bits, as is normal in complexity theory, the set has size log(b − a), and so the algorithm's complexity is , which is exponential in the problem size. For this reason, Pollard's lambda algorithm is considered an exponential time algorithm. For an example of a subexponential time discrete logarithm algorithm, see the index calculus algorithm.

The first is "Pollard's kangaroo algorithm". This name is a reference to an analogy used in the paper presenting the algorithm, where the algorithm is explained in terms of using a tamekangaroo to trap a wild kangaroo. Pollard has explained[2] that this analogy was inspired by a "fascinating" article published in the same issue of Scientific American as an exposition of the RSApublic key cryptosystem. The article[3] described an experiment in which a kangaroo's "energetic cost of locomotion, measured in terms of oxygen consumption at various speeds, was determined by placing kangaroos on a treadmill".

The second is "Pollard's lambda algorithm". Much like the name of another of Pollard's discrete logarithm algorithms, Pollard's rho algorithm, this name refers to the similarity between a visualisation of the algorithm and the Greek letterlambda (). The shorter stroke of the letter lambda corresponds to the sequence , since it starts from the position b to the right of x. Accordingly, the longer stroke corresponds to the sequence , which "collides with" the first sequence (just like the strokes of a lambda intersect) and then follows it subsequently.

Pollard has expressed a preference for the name "kangaroo algorithm",[4] as this avoids confusion with some parallel versions of his rho algorithm, which have also been called "lambda algorithms".